As I talked about last week, Microsoft was launching some new Intune functions. One of these, which is highly sought after and frequently asked about, is Conditional Access for browser access to O365 workloads. I talked about it a bit in my blog note below:

Conditional access for browser

This has easily addressed one of the biggest customer concerns I’ve run into: ADFS can’t conditionally block service-level access to Office 365.

I’ve been waiting for some time now, and finally, Intune will offer the ability to control Conditional Access to Exchange Online and SharePoint Online (and by proxy OneDrive for Business). In this model, you can allow access to these only from supported web browsers on managed and compliant devices (iOS & Android). If the device is not enrolled/compliant, then, just like traditional Conditional Access, users will be prompted to enroll their device before sign-in is allowed.

As far as support…

You can restrict access to OWA for Exchange Online and to SharePoint / OneDrive for Business when accessed from a browser on iOS and Android devices. Access will be allowed only from supported browsers on compliant devices:

  • Safari (iOS)
  • Chrome (Android)
  • Managed Browser (iOS and Android)

Unsupported browsers will be blocked.

NOTE: The OWA apps for iOS and Android are not supported. They should be blocked through ADFS claims rules.

Let’s take a look at how it’s configured!

First, let’s take a look at the new policy settings in Intune under the Conditional Access policies for Exchange Online and SharePoint Online/OneDrive for Business.

You’ll see our new options here, under “Outlook Web Access (OWA)” and “Browser Access to SharePoint and OneDrive for Business”


Note that once you check that box, it is enforced only for your targeted groups, just like other Conditional Access policies. That means that if you don’t have a blanket policy covering your entire organization, only selected groups, then folks not in those groups are exempt and won’t be blocked. This is important if you’re in the process of moving to Intune with Conditional Access, or if you’re testing.

You should note that these settings apply today only to mobile devices. You can choose to allow access to Exchange Online, SPO or OneDrive for Business only through the supported browsers: Safari for iOS and Chrome for Android. Access from other browsers will be blocked.

The same platform restrictions you selected for application access for Outlook also apply here, meaning that if you aren’t protecting Android devices with Conditional Access, the browser settings will not apply to them either.

To identify the device that is used to access the service, Azure Active Directory will issue a TLS certificate to the device, which the browser presents to identify the device when it connects.

Let’s start by checking the respective boxes.


Let’s go ahead and test this.


First we’ll open a non-native browser, such as Firefox. We’ll navigate to


And we can see that we get a prompt to

We can see that we get notified (because we’re using a non-native browser) that we are not enrolled/compliant.


Now let’s try via the native Safari browser


We’ll get a certificate notification


And we’re allowed right through once we choose that certificate.



Now the same test on Android. First we’ll open a non-native browser, such as Firefox. We’ll navigate to


And we can see that we get a prompt to

We can see that we get notified (because we’re using a non-native browser) that we are not enrolled/compliant.


Now let’s try via the native Chrome browser


We’ll get a certificate notification. It’s likely you don’t currently have any certificate to choose, so I hit cancel.



On Android devices, users must enable browser access themselves. To do this, the end user must turn on the “Enable Browser Access” option on the enrolled device.

Let’s launch the Company Portal app and go to the Settings page in the upper right corner.


At the bottom, choose Enable Browser Access.

You’ll see it import a certificate, and you’ll get a notification.



Now let’s try with Chrome again. You’ll see we have access!

